diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 94a2272..cc98b12 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -87,7 +87,10 @@ jobs: - name: Deploy helm chart to S3 run: | + pkg=$(ls packaged-chart/kubetruth*.tgz) + pkg=${pkg##*/} source <(cloudtruth -e production template get deploy.aws_credentials_env) source <(cloudtruth -e production template get deploy.helm_package_env) atmos -e production auth_exec aws s3 sync packaged-chart/ s3://${BUCKET_NAME}/${BUCKET_PATH}/ - atmos -e production auth_exec aws cloudfront create-invalidation --distribution-id ${DISTRIBUTION_ID} --paths /index.yaml + atmos -e production auth_exec aws cloudfront create-invalidation --distribution-id ${DISTRIBUTION_ID} --paths "/${BUCKET_PATH}/index.yaml" "/${BUCKET_PATH}/${pkg}" + diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..75b61a1 --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,4 @@ +0.1.0 (12/07/2020) +------------------ + +Initial Release diff --git a/README.md b/README.md index d8268d4..729bc96 100644 --- a/README.md +++ b/README.md 
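Review bot: The added `pkg=$(ls packaged-chart/kubetruth*.tgz)` line assumes exactly one chart archive matches the glob. If several are present, `${pkg##*/}` keeps only the last file name, so `aws s3 sync` uploads every archive while the invalidation covers just one of them. A guard before the sync makes the assumption explicit: `pkgs=(packaged-chart/kubetruth*.tgz); [ "${#pkgs[@]}" -eq 1 ] && [ -f "${pkgs[0]}" ] || exit 1`, then `pkg=${pkgs[0]##*/}`. It is also worth quoting `"${DISTRIBUTION_ID}"` on the invalidation line, because its value comes from the sourced template output rather than from the workflow file.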
@@ -3,34 +3,104 @@ # Kubetruth -The CloudTruth integration for kubernetes that pushes parameter updates into kubernetes config maps and secrets +The CloudTruth integration for kubernetes that pushes parameter updates into +kubernetes config maps and secrets. The goal is to provide you a mechanism that +is as hands off as possible, using naming conventions to automate the delivery +of configuration so that you don't have to jump through setup hoops for each +app/service/etc that you would like to configure with cloudtruth ## Installation +```shell +helm repo add cloudtruth https://packages.cloudtruth.com/charts/ +helm install \ + --set appSettings.apiKey= \ + --set appSettings.environment= \ + --set appSettings.keyPrefix=service \ + my-kubetruth-name cloudtruth/kubetruth ``` -helm install -``` + +## Uninstall ```shell -gem install 'kubetruth' +helm delete my-kubetruth-name +helm repo remove cloudtruth ``` -And then execute: +## Usage + +Parameterize the helm install with `--set appSettings.**` to control how kubetruth matches against your organization's naming conventions: + +| Parameter | Description | Type | Default | Required | +|-----------|-------------|------|---------|:--------:| +| appSettings.apiKey | The cloudtruth api key. Read only access is sufficient | string | n/a | yes | +| appSettings.environment | The cloudtruth environment to lookup parameter values for. 
Use a separate helm install for each environment | string | `default` | yes | +| appSettings.keyPrefix | Limit the parameters looked up to one of these prefixes | list(string) | n/a | no | +| appSettings.keyPattern | The pattern to match against key names to select params and provide keywords for generating resource names via nameTemplate and keyTemplate | list(regex) | `^(?[^\.]+)\.(?[^\.]+)\.(?.*)` | no | +| appSettings.nameTemplate | The template for generating resources (ConfigMaps and Secrets) | string | `%{name}` | no | +| appSettings.keyTemplate | The template for generating key names within a resource | string | `%{key}` | no | +| appSettings.skipSecrets | Do not transfer parameters that are marked as secret | flag | false | no | +| appSettings.secretsAsConfig | Place secret parameters alongside plain parameters within a ConfigMap instead of in their own Secret resource | flag | false | no | +| appSettings.pollingInterval | Interval to poll cloudtruth api for changes | integer | 300 | no | +| appSettings.debug | Debug logging | flag | n/a | no | + +For example, for a keyspace that looks like: +``` +service.someServiceName.oneParam=value1 +service.someServiceName.twoParam=value2 +service.otherServiceName.someParam=val1 +service.otherServiceName.mySecret=val2 (marked as a secret within CloudTruth) +``` - $ kubetruth --help +and parameterization like: +``` + --set appSettings.keyPrefix=service \ + --set appSettings.keyPattern=^(?[^\.]+)\.(?[^\.]+)\.(?.*) \ + --set appSettings.namePattern=%{name} \ + --set appSettings.keyPattern=ACME_%{key_upcase} \ +``` +Kubetruth will generate the config maps: -## Usage +someServiceName: +```yaml + ACME_ONEPARAM: value1 + ACME_TWOPARAM: value2 +``` -TODO: Write usage instructions here +otherServiceName: +```yaml + ACME_SOMEPARAM: val1 +``` -## Development +and the Secrets: + +otherServiceName: +```yaml + MYSECRET: val2 +``` -After checking out the repo, run `bin/setup` to install dependencies. 
Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment. +These kubernetes resources can then be referenced in the standard ways, e.g. + +```yaml + envFrom: + - configMapRef: + name: otherServiceName + envFrom: + - secretRef: + name: otherServiceName +``` + +Note that config map updates don't get seen by a running pod. You can use +something like [Reloader](https://github.com/stakater/Reloader) to automate +this, or read config from mounted volumes for configmaps/secrets, which do get +updated automatically in a running pod + +## Development -To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org). +After checking out the repo, run `bin/setup` to install dependencies. Then, run `bundle exec rspec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment. ## Contributing -Bug reports and pull requests are welcome on GitHub at https://github.com/wr0ngway/kubetruth. +Bug reports and pull requests are welcome on GitHub at https://github.com/cloudtruth/kubetruth. diff --git a/helm/kubetruth/templates/NOTES.txt b/helm/kubetruth/templates/NOTES.txt index 29a64bd..8b13789 100644 --- a/helm/kubetruth/templates/NOTES.txt +++ b/helm/kubetruth/templates/NOTES.txt @@ -1,2 +1 @@ -Supply the cloudtruth api key in appSettings.apiKey diff --git a/helm/kubetruth/templates/deployment.yaml b/helm/kubetruth/templates/deployment.yaml index e0ddceb..9e44786 100644 --- a/helm/kubetruth/templates/deployment.yaml +++ b/helm/kubetruth/templates/deployment.yaml 
@@ -35,30 +35,36 @@ spec: imagePullPolicy: {{ .Values.image.pullPolicy }} resources: {{- toYaml .Values.resources | nindent 12 }} - env: - - name: CT_API_KEY - value: {{ required "The cloudtruth api key needs to be set in .Values.appSettings.apiKey!" .Values.appSettings.apiKey }} + envFrom: + - secretRef: + name: {{ include "kubetruth.fullname" . }} args: - app {{- if .Values.appSettings.environment }} - --environment - - {{ .Values.appSettings.environment }} + - {{ .Values.appSettings.environment | quote }} {{- end }} {{- with .Values.appSettings.keyPrefix }} - --key-prefix - - {{ toYaml . }} + - {{ toYaml . | quote }} {{- end }} {{- with .Values.appSettings.keyPattern }} - --key-pattern - - {{ toYaml . }} + - {{ toYaml . | quote }} {{- end }} {{- if .Values.appSettings.nameTemplate }} - --name-template - - {{ .Values.appSettings.nameTemplate }} + - {{ .Values.appSettings.nameTemplate | quote }} {{- end }} {{- if .Values.appSettings.keyTemplate }} - --key-template - - {{ .Values.appSettings.keyTemplate }} + - {{ .Values.appSettings.keyTemplate | quote }} + {{- end }} + {{- if .Values.appSettings.skipSecrets }} + - --skip-secrets + {{- end }} + {{- if .Values.appSettings.secretsAsConfig }} + - --secrets-as-config {{- end }} {{- if .Values.appSettings.pollingInterval }} - --polling-interval diff --git a/helm/kubetruth/templates/secret.yaml b/helm/kubetruth/templates/secret.yaml new file mode 100644 index 0000000..1de0b95 --- /dev/null +++ b/helm/kubetruth/templates/secret.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "kubetruth.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "kubetruth.labels" . | nindent 4 }} +data: + CT_API_KEY: {{ required "The cloudtruth api key needs to be set in .Values.appSettings.apiKey!" .Values.appSettings.apiKey | b64enc | quote }} diff --git a/helm/kubetruth/values.yaml b/helm/kubetruth/values.yaml index 9ed59c0..9f1f3b0 100644 --- a/helm/kubetruth/values.yaml 
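Review bot: With `envFrom` and a `secretRef`, the pod spec no longer changes when `appSettings.apiKey` changes. A `helm upgrade` that rotates the key therefore updates the Secret but presumably leaves the running pod on the old `CT_API_KEY` until something restarts it. The usual Helm remedy is a pod-template annotation such as `checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}`; the template's metadata block is outside this hunk, so it is not visible whether one already exists. Separately, `toYaml . | quote` on `keyPrefix` and `keyPattern` renders a multi-element list as one quoted string, so it is worth confirming the application parses that form.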
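Review bot: The API key must still be passed as the chart value `appSettings.apiKey`, so it is also kept in Helm's stored release values and is readable with `helm get values` by anyone who can read the release. Consider letting the chart reference a Secret created outside Helm as an alternative to the `required ... .Values.appSettings.apiKey` path, so the key need not travel through `--set` at all. A template comment would also help here, for example `{{- /* CT_API_KEY is base64-encoded, not encrypted; limit read access to this Secret with RBAC */ -}}`.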
+++ b/helm/kubetruth/values.yaml @@ -72,5 +72,7 @@ appSettings: keyPattern: [] nameTemplate: keyTemplate: + skipSecrets: false + secretsAsConfig: false pollingInterval: debug: false